written by Zeljko Medic


How to create Site to Site VPN in Azure Stack (with Fortigate)

I’m a huge fan of Azure Stack and love to use it for many scenarios in my work/homelab. Often I need to connect Azure Stack to other hardware/software within my lab, and that is when I rely on Site to Site VPN solutions.

One thing I’m not a huge fan of in Azure Stack is the integrated VPN solution. I usually use third-party solutions like Fortigate.

In this scenario I will show how to connect Azure Stack to an Intel NUC in my local network. I have configured a Fortigate VM in Azure Stack, and in my physical network there is one Fortigate 60D with an Intel NUC running Windows Server 2016 behind it.

I would not recommend this scenario for a production environment that relies on an internet connection. In a production environment, security should be a bit beefier.

Lab setup

So, here is my LAB setup.

Azure Stack (Main Office)

Azure Stack has the public IP 192.168.102.32, which is assigned to the Fortigate VM. Behind the Fortigate VM is a small network of Windows Server 2016 VMs on the 172.20.2.0/24 subnet.

The VM I want to connect to is on IP address 172.20.2.5/24.

Physical network (Branch Office)

I have a Fortigate 60D as the main router with public IP 10.10.9.102. Behind it is an Intel NUC with Windows Server 2016 installed, on IP address 192.168.40.5/24 (192.168.40.0/24 subnet).

I want the Azure Stack VM on IP address 172.20.2.5 to communicate with the Intel NUC behind the Fortigate 60D on IP 192.168.40.5 as if they were on the same network.

Azure Stack Setup

Ok, first we will set up the Fortigate VM on Azure Stack. This lab assumes you already have everything configured in your network and just want to set up the Site to Site VPN.

From the VPN menu select IPsec Wizard.

I will name this site AStackMain since it will simulate the Main Office.

Template Type is Site to Site.

NAT configuration – This site is behind NAT (this also works with the No NAT between sites option if everything in your local network is left at the defaults).

Authentication method – Pre-shared key (enough for this occasion, but in the real world certificates would be used). Type in a strong phrase and remember it; we will need it again when setting up the Branch Office.
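For readers who prefer the CLI over the wizard, here is the FortiOS configuration that corresponds to the wizard choices so far (name AStackMain, site to site, behind NAT, pre-shared key) plus the two lab subnets and the Branch Office public IP 10.10.9.102 from the lab setup. This is an added example written for this page, not the author's exported configuration. The interface names port1 (outside, where the 192.168.102.32 public IP lands) and port2 (the 172.20.2.0/24 LAN side), the IKEv2 / AES-256 / SHA-256 / DH group 14 proposals, and the PSK placeholder are assumptions; replace the placeholder with the phrase you typed into the wizard.

```fortios
config vpn ipsec phase1-interface
    edit "AStackMain"
        set comments "Added example; port1 and the proposals are assumed, not from the wizard screenshots"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set dpd on-demand
        set remote-gw 10.10.9.102
        set psksecret <PSK_FROM_WIZARD>
    next
end

config vpn ipsec phase2-interface
    edit "AStackMain"
        set phase1name "AStackMain"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 172.20.2.0 255.255.255.0
        set dst-subnet 192.168.40.0 255.255.255.0
    next
end

config firewall address
    edit "AStackMain_lan"
        set subnet 172.20.2.0 255.255.255.0
    next
    edit "Branch_lan"
        set subnet 192.168.40.0 255.255.255.0
    next
end

config router static
    edit 0
        set dst 192.168.40.0 255.255.255.0
        set device "AStackMain"
    next
end

config firewall policy
    edit 0
        set name "AStackMain_to_Branch"
        set comments "Added example; port2 is an assumed LAN interface name"
        set srcintf "port2"
        set dstintf "AStackMain"
        set srcaddr "AStackMain_lan"
        set dstaddr "Branch_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Branch_to_AStackMain"
        set srcintf "AStackMain"
        set dstintf "port2"
        set srcaddr "Branch_lan"
        set dstaddr "AStackMain_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The policies are scoped to the two address objects rather than "all" so that only the 172.20.2.0/24 and 192.168.40.0/24 networks can cross the tunnel; `set nattraversal enable` is the CLI side of the "This site is behind NAT" wizard choice. After the Branch Office end is configured you can check that phase 1 and phase 2 came up with `diagnose vpn ike gateway list` and `diagnose vpn tunnel list`.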